orchestrator
8 Topics

Implementing SSL Orchestrator - L2 Service Configuration (Palo Alto)
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, inline Layer 2 security device and everything you need to know about it. This article covers the configuration of a Palo Alto NGFW running PAN-OS version 9.0.3. Please forgive me for using SSL and TLS interchangeably in this article.

The simplest Palo Alto deployment is in Layer 2, or Virtual Wire mode. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface.

From the Palo Alto UI go to the Network tab > Interfaces. Click the name (ethernet1/X) of the interface you wish to configure. Set the Interface Type to Virtual Wire and the Security Zone to trust. Click OK. Do the same for the next interface.

Click the name of one of the interfaces configured previously. Click Virtual Wire > New Virtual Wire. Give it a name. Select the 2 interfaces configured previously. Click OK and OK. You will need to Commit the changes for them to take effect.

Note: setting the Security Zone to trust is needed for the F5 Health Monitors to work.

Summary

In this article you learned how to configure a Palo Alto NGFW in Layer 2 mode. The Palo Alto NGFW configuration can be downloaded from here on GitLab.

Next Steps

Contact Palo Alto Networks if you need additional assistance with their products. Click Next to proceed to the next article in the series.

999 Views, 1 like, 3 Comments

Implementing SSL Orchestrator - Explicit Proxy Service Configuration (Cisco WSA)
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, Explicit Proxy security device and everything you need to know about it. This article covers the configuration of Cisco Web Security Appliance (WSA) running version 11.8. Please forgive me for using SSL and TLS interchangeably in this article.

A common Cisco WSA deployment mode is as an Explicit Proxy. The WSA proxy is completely transparent to the user, but the BIG-IP will connect to it as an Explicit Proxy. The default settings for Cisco WSA will work with SSL Orchestrator. Keep in mind that:

1) By default WSA accepts connections on ports 80 and 3128. If you changed this you will have to specify the correct port when configuring SSLO.

2) It is assumed you are using WSA security features like URL categorization, Anti-Malware, Reputation filtering, etc.

3) It is recommended to use separate ethernet ports for Management and Data, similar to the image below.

Summary

In this article you learned how to configure a Cisco WSA in Explicit Proxy mode. The Cisco WSA configuration can be downloaded from here in GitLab.

Next Steps

Click Next to proceed to the next article in the series. Contact Cisco if you need additional assistance with their products.

799 Views, 1 like, 0 Comments

Implementing SSL Orchestrator - L2 Service Configuration (Firepower)
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ. Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, inline Layer 2 security device and everything you need to know about it. This article covers the configuration of Cisco Firepower running version 6.4. Please forgive me for using SSL and TLS interchangeably in this article.

A common Firepower deployment mode is in Layer 2, using "Inline Sets". This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. Firepower Management Center must be used when configuring this because Firepower Device Manager does not support the configuration of Inline Sets.

From the Firepower Management Center click Devices. It should look like the following. Double click the Name of the Firepower device you want to configure. This should bring you to the Interfaces screen. We will be configuring Ethernet 1/3 and 1/4. Click the pencil on the right to edit Ethernet 1/3.

Enable the interface and give it a name, "frombigip11" in this example. Click OK. Repeat these steps for Ethernet 1/4, giving it a unique name too. It should look like the following.

Note: when configuring for High Availability, repeat these steps for another Ethernet pair, like 1/5 and 1/6.

Go to the Inline Sets tab and click Add Inline Set. Give it a Name, inlineset11 in this example. The Interface Pair should appear on the left. Select it and click Add to move it to the right. Then click OK.

Note: when configuring for High Availability, repeat these steps for the other Interface Pair.

Click Save and then Deploy. Check the box next to the Firepower device you configured and click Deploy. This process may take several minutes. When done, the screen should look like this.

Summary

In this article you learned how to configure Cisco Firepower in Layer 2 mode. The Cisco Firepower configuration can be downloaded from here in GitLab.

Next Steps

Click Next to proceed to the next article in the series. Contact Cisco if you need additional assistance with their products.

560 Views, 0 likes, 0 Comments

VMware vCenter Orchestrator "Create Pool"
Hello, I want to create a pool with the VMware Orchestrator Plugin from F5. When I fill in all the information for the workflow (LTM instance; name for the pool and method, for example LB_METHOD_ROUND_ROBIN), I choose the method "round_robin". When I start the workflow with this information I get the following error message:

{"code":400,"message":"Status code:400, uri:http://localhost:8110/tm/ltm/pool, body: {\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"load-balancing-mode\\\\":\\\\"Round_robin\\\\"\\"}}\",\"errorStack\":[]}","originalRequestBody":"{\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"load-balancing-mode\\\\":\\\\"Round_robin\\\\"\\"}}\",\"errorStack\":[]}","restOperationId":13591588,"errorStack":["java.net.ProtocolException: Status code:400, uri:http://localhost:8110/tm/ltm/pool, body: {\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"load-balancing-mode\\\\":\\\\"Round_robin\\\\"\\"}}\",\"errorStack\":[]}","at com.f5.rest.common.RestRequestSender.finish(RestRequestSender.java:412)","at com.f5.rest.common.RestRequestSender.processNext(RestRequestSender.java:397)","at com.f5.rest.common.RestHelper$2.run(RestHelper.java:1478)","at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)","at java.lang.Thread.run(Unknown Source)\n"]} (Dynamic Script Module name : createPool4)

I also get this error message when I choose other methods. Does someone have a solution for this problem? I am using a virtual edition of the BIG-IP 11.4.1 Build 608.0 Final.

Regards

549 Views, 0 likes, 4 Comments

How can I achieve SSL orchestrator daisy chain while receiving on a certain IP
Hi; I want the SSL Orchestrator to receive traffic on port 8080, decrypt it, then load balance it among a group of ProxySG appliances, then load balance it among a group of IPS devices, and finally encrypt it and send it to the upstream router and then the Internet. My intention, though, is to set all users' browsers explicitly to point at an IP address on the F5 Orchestrator listening on port 8080. Can this be done?

Kindly, Wasfi

322 Views, 0 likes, 0 Comments

Orchestrator Plugin "create virtual server" Error
Hello, I again have a little problem. When I wanted to create a virtual server with the F5 Orchestrator Plugin for VMware, there is a parameter "profileContextType". When I type in the example "PROFILE_CONTEXT_TYPE_ALL" I get the following error code:

Unable to add profile to virtual server. Error is {"code":400,"message":"Status code:400, uri:"> body: {\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"context\\\\":\\\\"PROFILE_CONTEXT_TYPE_ALL\\\\"\\"}}\",\"errorStack\":[]}","originalRequestBody":"{\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"context\\\\":\\\\"PROFILE_CONTEXT_TYPE_ALL\\\\"\\"}}\",\"errorStack\":[]}","restOperationId":93017,"errorStack":["java.net.ProtocolException: Status code:400, uri:"> body: {\"errorResponse\":\"{\\"error\\":{\\"code\\":400,\\"message\\":\\"invalid property value \\\\"context\\\\":\\\\"PROFILE_CONTEXT_TYPE_ALL\\\\"\\"}}\",\"errorStack\":[]}","at com.f5.rest.common.RestRequestSender.finish(RestRequestSender.java:412)","at com.f5.rest.common.RestRequestSender.processNext(RestRequestSender.java:397)","at com.f5.rest.common.RestHelper$2.run(RestHelper.java:1478)","at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)","at java.lang.Thread.run(Unknown Source)\n"]} (Dynamic Script Module name : createVirtualServer16)

I think the problem is that the example is from the SOAP interface and I am using the REST interface. Does someone know the command for the REST interface?

Regards

256 Views, 0 likes, 1 Comment

Microsoft Orchestrator monitoring pool status
Our Orchestrator environment has the iControl packs installed for F5, but I can't seem to figure out how to get it to do a simple runbook using them. I wanted to see if anyone had steps or could provide a little guidance on how to get a runbook created to send emails on statuses for pools and their members. I have the getmemberstatus activity added, and the only parameters I see that are needed are pool name and active node. I've added the pool name but I'm not sure which node is active, considering I have 4 in the pool. I just want it to send me an email saying if the pool is up or not. Thanks.

226 Views, 0 likes, 0 Comments